If you want to set up a small network of computers on chaosvpn behind a NetBSD 5.2 router, this is the document for you.

+

The purpose of this document is a step-by-step process to install and configure a VPN router that will serve as a router or firewall for a number of computers behind NAT. This document will assume that addresses are all staticly assigned.

−

====Edit /root/.profile====

+

Still a work in progress.

+

+

To do:

+

+

Stuff on Carp redundancy?

+

pf?

+

+

+

+

== Setup pkgsrc and networking ==

+

+

+

+

=== Set up pkgsrc repository ===

+

+

Edit the file '''''/root/.profile'''''<br />

Change the path for the pkgsrc repo to:<br />

Change the path for the pkgsrc repo to:<br />

ftp://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/5.0/All/

ftp://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/5.0/All/

−

---

+

The file will be read-only, use ''':wq!'''

−

vi /etc/ifconfig.fxp0

−

192.168.0.20{1,2} netmask 255.255.255.0

+

=== Set up network interfaces ===

−

---

+

Edit the file '''''/etc/ifconfig.fxp0'''''

−

vi /etc/sysctl.conf

+

This will the the external (wan) interface.

+

+

Insert the contents:

+

192.168.0.201 netmask 255.255.255.0

+

+

+

Edit the file '''''/etc/ifconfig.fxp1'''''

+

+

This will be the internal network (lan) interface.

+

+

Insert the contents:

+

10.100.44.1 netmask 255.255.255.0

+

+

=== Ensure IP forwarding is set up ===

+

+

Edit the file '''''/etc/sysctl.conf '''''

+

+

Insert the contents:

net.inet.ip.forwarding=1

net.inet.ip.forwarding=1

−

---

−

vi /etc/resolv.conf

+

=== Specify your DNS server ===

+

+

+

Edit the file '''''/etc/resolv.conf'''''

+

+

Insert the contents:

nameserver 64.59.184.13

nameserver 64.59.184.13

−

---

−

vi /etc/rc.conf

+

=== Specify basic settings in rc.d to set up networking ===

−

hostname=chaosvpn{1,2}.440bx.net<br />

+

Edit the file '''''/etc/rc.conf'''''

−

defaultroute=192.168.0.1<br />

+

+

Append the following to the end of the file:

+

+

hostname=chaosvpn.440bx.net

+

defaultroute=192.168.0.1

sshd=yes

sshd=yes

−

---

−

useradd -m -G wheel chaosvpn_user<br />

+

=== Create a new user to do tasks that don't require root ===

−

passwd chaosvpn_user

+

+

# useradd -m -G wheel chaosvpn_user

+

# passwd chaosvpn_user

−

---

+

== Continue with the installation of ChaosVPN ==

−

continue with the steps at:

+

Continue with the steps at:

https://wiki.hamburg.ccc.de/ChaosVPN:NetBSDHowto

https://wiki.hamburg.ccc.de/ChaosVPN:NetBSDHowto

+

= Recompile the kernel to add IPfilter and CARP support =

−

---

+

Now that ChaosVPN is up and running, there are a few more things that have to be done to get this machine set up to do NAT routing.

−

===Recompile the kernel===

−

make directories

+

+

== Preparing to recompile the kernel ==

+

+

+

=== Make Directories ===

# mkdir /usr/src

# mkdir /usr/src

# chown chaosvpn_user /usr/src

# chown chaosvpn_user /usr/src

−

get the actual source

+

+

=== Get the actual source ===

+

This does not have to be done as a root user. You can do this as the '''''chaosvpn_user''''' user that was created earlier.

+

$ ftp -i ftp://ftp.NetBSD.org/pub/NetBSD/NetBSD-5.2/source/sets/

$ ftp -i ftp://ftp.NetBSD.org/pub/NetBSD/NetBSD-5.2/source/sets/

mget *.tgz

mget *.tgz

−

extract

+

+

=== Extract the files ===

$ for i in *.tgz

$ for i in *.tgz

Line 68:

Line 116:

done

done

−

after you realize youve extracted to the wrong dir

+

+

=== After you realize youve extracted to the wrong directory ===

$ mv /usr/src/usr/src/* /usr/src

$ mv /usr/src/usr/src/* /usr/src

−

copy config stuff

+

+

=== Copy config stuff ===

+

+

It's best to not work in the vanilla configuration files. We will make a copy of the GENERIC configuration file.

ipfilter is installed by default on Netbsd 5.2 No special packages are required.

−

---

+

== Configure ipfilter startup settings ==

'''remove this next bit later if testing shows that statically linking in kernel actually works'''<br />

'''remove this next bit later if testing shows that statically linking in kernel actually works'''<br />

−

Set ipfilter to run by default

−

vi /etc/rc.conf

+

=== Set ipfilter to run by default ===

+

+

Edit the file '''''/etc/rc.conf'''''

+

+

Append the following to the end of the file:

ipfilter_enable="YES"

ipfilter_enable="YES"

−

#ipfilter_rules="/etc/ipf.rules"

+

ipfilter_rules="/etc/ipf.rules"

ipmon_enable="YES"

ipmon_enable="YES"

ipmon_flags="-Ds"

ipmon_flags="-Ds"

Line 140:

Line 203:

−

---

+

=== Set up ipfilter to log ===

−

+

For now, we want ipfilter to log

−

for now, we want ipfilter to log

+

# touch /var/log/ipfilter.log

# touch /var/log/ipfilter.log

−

vi /etc/syslog.conf

+

Edit the file '''''/etc/syslog.conf'''''

+

+

Append the following to the file:

local0.* /var/log/ipfilter.log

local0.* /var/log/ipfilter.log

−

---

−

vi /etc/ipnat.rules

+

=== Set up IPNat rules ===

+

+

+

Edit the file '''''/etc/ipnat.rules'''''

+

+

Insert the following:

+

map fxp1 10.100.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 00000:65000

map fxp1 10.100.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 00000:65000

map fxp1 10.100.0.0/16 -> 0.0.0.0/32

map fxp1 10.100.0.0/16 -> 0.0.0.0/32

+

= Other Setup =

+

+

+

At this point in the game, you should have a functional router for your NAT chaosvpn network. The "fxp0" interface should be connected to the Internet, and the "fxp1" internface should be connected to your hub or switch for the internal network. You should be able to browse chaosvpn from behind a NAT now!

Basic setup after a vanilla install of NetBSD 5.2

If you want to set up a small network of computers on chaosvpn behind a NetBSD 5.2 router, this is the document for you.
The purpose of this document is a step-by-step process to install and configure a VPN router that will serve as a router or firewall for a number of computers behind NAT. This document will assume that addresses are all staticly assigned.

Set up IPNat rules

Other Setup

At this point in the game, you should have a functional router for your NAT chaosvpn network. The "fxp0" interface should be connected to the Internet, and the "fxp1" internface should be connected to your hub or switch for the internal network. You should be able to browse chaosvpn from behind a NAT now!